Patch Management Policy v1 1
Patch Management Policy
(Version 1)
Document Control Information:
Date: 21/5/18
Master Tracking Name Patch Management Policy
Master Tracking Reference
Owning Service / Department Exeter IT
Issue: 1
Approvals:
Authors: P. Jones, T. Dyhouse and Ali Mitchell
Approved By: Exeter IT Senior Management Team
Authorised By: Chief Information & Digital Officer
Document Control
| Author | Version | Date Issued | Changes | Approval |
|---|---|---|---|---|
| P. Jones | 0.1 | 04/09/17 | Creation of document | |
| T. Dyhouse | 0.2 | 27/09/17 | QA of V0.1 addition of CAB measures. | |
| P. Jones | 0.3 | October 2017 | Updates from CGR and split into two documents. | |
| Ali Mitchell | 1.0 | May 2018 | Format and added in Third Party Suppliers | Published |
Next review due: July 2018
Contents
1 Introduction
2 Purpose
3 Definitions
4 Scope
5 Policy
6 Roles and responsibilities
7 Monitoring and reporting
8 Policy review and maintenance
9 Advice
1. Introduction
The University of Exeter has a responsibility to uphold the confidentiality, integrity and
availability of the data held on its IT systems, on and off site, including systems and
services supplied by third parties.
The University has an obligation to provide appropriate and adequate protection of its entire IT
estate, whether that is IT systems on premise, in the Cloud, or systems and services supplied by
third parties.
Effective implementation of this policy reduces the likelihood of compromise which may
come from a malicious threat actor or threat source.
2. Purpose
This document describes the requirements for maintaining up-to-date operating system
security patches and software version levels on all the University of Exeter owned estate and
services supplied by third parties.
3. Definitions
The term IT systems includes:
• Workstations
• Servers (physical and virtual)
• Firmware
• Networks (including hardwired, Wi-Fi, switches, routers etc.)
• Hardware
• Software (databases, platforms etc.)
• Applications (including mobile apps)
• Cloud Services
4. Scope
This policy applies to:
• Workstations, servers, networks, hardware devices, software and applications owned by the University of Exeter and managed by Exeter IT. This includes third parties supporting University of Exeter IT systems.
• Systems that contain company or customer data owned or managed by Exeter IT regardless of location. Again, this includes third party suppliers.
• CCTV systems where recordings are backed up to the University’s networks.
• Point of payment terminals using University of Exeter’s networks.
• Third party suppliers of IT systems as defined in Section 3.
5. Policy
University controls:
• All IT systems (as defined in section 3), either owned by the University of Exeter or those in the process of being developed and supported by third parties, must be manufacturer supported and have up-to-date and security patched operating systems and application software.
• Security patches must be installed to protect the assets from known vulnerabilities.
• Any patches categorised as ‘Critical’ or ‘High risk’ by the vendor must be installed within 14 days of release from the operating system or application vendor unless prevented by University IT Change Control (CAB – Change Advisory Board) procedures.
• Where CAB procedures prevent the installation of ‘Critical’ or ‘High risk’ security patches within 14 days, a temporary means of mitigation will be applied to reduce the risk.
  o Workstations
    • All desktops and laptops that are managed by Exeter IT must meet the Laptop and Workstation Build Policy minimum requirements in build and setup. Any exceptions shall be documented and reported to Exeter IT Head of IT Security and Compliance.
  o Servers
    • Servers must comply with the recommended minimum requirements that are specified by Exeter IT which includes the default operating system level, service packs, hotfixes and patching levels. Any exceptions shall be documented and reported to Exeter IT Head of Security and Compliance.
Third Party Suppliers:
Security patches must be up-to-date for IT systems which are being designed and delivered
by third party suppliers prior to going operational. Third party suppliers must be prepared to
provide evidence of up-to-date patching before IT systems are accepted into service and
thus become operational.
Once the IT systems are operational the following patching timescales apply:
• Critical or High Risk vulnerabilities – 14 calendar days
• Medium – 21 calendar days
• Low – 28 calendar days
6. Roles and Responsibilities
• Exeter IT.
  o Will manage the patching needs for the Windows, Apple Mac OS and Linux estate that is connected to the University of Exeter domain.
  o Responsible for routinely assessing compliance with the patching policy and will provide guidance to all the stakeholder groups in relation to issues of security and patch management.
• Change Advisory Board.
  o Responsible for approving the monthly and emergency patch management deployment requests.
• End User.
  o The end user has a responsibility to ensure that patches are installed and the machine is rebooted when required. Any problems must be reported to Exeter IT.
• Third Party Suppliers
  o Will ensure security patches are up-to-date for IT systems which are being designed and delivered by third party suppliers prior to going operational.
  o Once the IT systems are operational third party suppliers must ensure vulnerability patching is carried out as stipulated in Section 5 – Policy. Where this is not possible, this must be escalated to the Head of IT Security and Compliance.
7. Monitoring and Reporting
Those with patching roles as detailed in section 6 above are required to compile and
maintain reporting metrics that summarise the outcome of each patching cycle. These
reports shall be used to evaluate the current patching levels of all systems and to assess the
current level of risk. These reports shall be made available to the Cyber Security Team and
Internal Audit upon request.
8. Policy Review and Maintenance
The Policy will be reviewed and updated annually, or as needed, to ensure that the policy
remains aligned with changes to relevant laws, contractual obligations and best practice.
9. For advice
Please contact either the Head of IT Security and Compliance or the IT Operations and
Security Manager. Queries can be emailed to information-security@exeter.ac.uk
